According to Kaspersky, LunaSpy, an Android spyware, has been active since at least February 2025, distributing itself through messaging applications such as Telegram by impersonating antivirus or banking protection software.
Upon installation, LunaSpy initiates a simulated virus scan, displaying “threats found” warnings to manipulate users into granting extensive permissions. These requested permissions are not utilized for remediation but rather for malicious activities.
Once permissions are acquired, LunaSpy gains the capability to exfiltrate passwords from web browsers and messaging applications. The spyware can also record audio and video, access and read text messages, ascertain the device’s geographical location, and execute arbitrary commands on the compromised device. Furthermore, the most recent iteration of LunaSpy contains dormant code designed for photo exfiltration, indicating a potential future functionality.
The data acquired by LunaSpy is transmitted to the attackers via a network of approximately 150 servers. Users are advised to exercise caution with application downloads. Specifically, avoid downloading Android Package Kits (APKs) directly from messenger links, even when the links come from known contacts, whose accounts may be compromised. Users should also be wary of unfamiliar security applications that request broad permissions, as this often indicates malicious intent.
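The permission warning above can be turned into a triage check on a decoded AndroidManifest.xml. The following is an added example, not code from Kaspersky or from the malware: it flags an app that presents itself as a security product while requesting permissions covering several of the surveillance capabilities described. The permission mapping, keyword list, threshold and sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Assumed mapping from the capabilities named above to standard Android
# permissions; the article does not list LunaSpy's actual manifest entries.
CAPABILITIES = {
    "audio recording": {"android.permission.RECORD_AUDIO"},
    "video recording": {"android.permission.CAMERA"},
    "reading text messages": {"android.permission.READ_SMS",
                              "android.permission.RECEIVE_SMS"},
    "location tracking": {"android.permission.ACCESS_FINE_LOCATION",
                          "android.permission.ACCESS_COARSE_LOCATION"},
}
SECURITY_WORDS = ("antivirus", "protect", "security")  # hypothetical keyword list

def audit_manifest(xml_text, threshold=3):
    """Flag a self-described security app whose permissions span many capabilities."""
    root = ET.fromstring(xml_text)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID + "name")
            if name:
                requested.add(name.strip())
    hits = sorted(c for c, perms in CAPABILITIES.items() if perms & requested)
    app = root.find("application")
    label = app.get(ANDROID + "label", "") if app is not None else ""
    identity = f"{label} {root.get('package', '')}".lower()
    claims_security = any(w in identity for w in SECURITY_WORDS)
    return {"capabilities": hits, "claims_security": claims_security,
            "flag": claims_security and len(hits) >= threshold}

def _manifest(package, label, perms):
    """Build a constructed sample manifest (not taken from any real APK)."""
    uses = "".join(f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}<application android:label="{label}"/></manifest>')

FAKE_AV = _manifest("com.example.bankprotect", "Bank Protect Antivirus",
                    ["INTERNET", "RECORD_AUDIO", "CAMERA", "READ_SMS", "ACCESS_FINE_LOCATION"])
NOTES = _manifest("com.example.notes", "Notes", ["INTERNET", "CAMERA"])
PLAIN_AV = _manifest("com.example.security", "Security Check", ["INTERNET"])

if __name__ == "__main__":
    for name, xml in (("FAKE_AV", FAKE_AV), ("NOTES", NOTES), ("PLAIN_AV", PLAIN_AV)):
        print(name, audit_manifest(xml))
```

A flag here is a prompt for manual review, not a verdict: legitimate security products can also request several of these permissions.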